/apr 10, 2016

TLS Verification in Ruby Client Libraries

By Jason Yeo

A week ago, a couple of security researchers warned about unverified TLS certificates in SSL libraries of some programming languages. You may read more at their blog. In summary, they found that all programming languages do not verify revoked certificates and languages like Python and PHP do not verify certificates in some cases. That is, if you are using Python or PHP to make HTTPS requests, you might be vulnerable to man-in-the-middle attacks.

Since the study only covered 3 languages, namely, Python, PHP and Go, I decided to do a simple study for Ruby to see if its HTTP client libraries are similarly affected.

What I've Found

I wrote a simple script and tested it against 5 libraries using Ruby 2.3.0, the latest stable Ruby:

  1. Net::HTTP
  2. Excon 0.49.0
  3. HTTPClient 2.7.1
  4. Curb 0.9.1
  5. http.rb 1.0.4

table

None of The Libraries Verify Revoked Certificates

As expected, none of the libraries are able to verify revoked certificates as doing this is thought to be non-trivial. Nonetheless, one important point to note is that HTTPClient is the only Ruby client library that allows users to add CRL files.

Excon is The Only Library That Turns Off RC4

RC4 is considered to be insecure and RFC7465 recommends that clients and servers should never use RC4 when they establish TLS connections. However, client libraries do not disable this by default and Excon is the only one that disables this cipher suite.

Excon introduced this in version 0.26.0 by setting the cipher suite setting of the SSLContext object to 'HIGH:!SSLv2:!aNULL:!eNULL:!3DES' by default. By the way, we've included this in our catalog, so if you're a SRC:CLR customer, you're protected.

Curb Doesn't Verify Incomplete Certificate Chains

Curb is a HTTP client library that uses libcurl under the hood. According to a survey, it's preferred by some Ruby developers as they claim that it's the fastest HTTP client library. However, the Curb library has some insecure defaults. Aside from not verifying revoked certificates and using insecure cipher suites, it also doesn't verify incomplete certificate chains.

All Libraries Performs TLS Verification by Default

Gone are the days of setting :use_ssl and verify_mode. If you are using Ruby 2.0.0 and above, you are no longer required to set these two options to perform TLS verification in Net::HTTP. Users simply have to pass a HTTPS URI object to the Net::HTTP.get call to make a GET request:

Net::HTTP.get URI 'https://encrypted.google.com'

The Net::HTTP will automatically turn on :use_ssl and set VERIFY_PEER to turn on TLS verification internally when the URI object's scheme is HTTPS.

Similarly, none of the libraries require you to perform any additional ceremony to turn on TLS verification.

What About My Favorite Libraries Like Faraday and HTTParty?

I have intentionally left out libraries like Faraday and HTTParty as they are wrapper libraries that wrap around one of those basic libraries that I have tested with. HTTParty is a Net::HTTP wrapper that makes using Net::HTTP easier and Faraday provides an interface over the 5 basic libraries. Since they are wrapper libraries that essentially just provide a nicer API, they are probably not opinionated about such TLS settings and will not set any of these for you. But I might be wrong. Do ping us on our @Veracode twitter handle if you spot anything wrong.

type: post

Related Posts

By Jason Yeo

Jason is a software engineer at Veracode working on SourceClear's Agent team.